From c758c178b04c897aeb4d76acc07925419d3cba9c Mon Sep 17 00:00:00 2001 From: Graham Savage Date: Tue, 23 Jun 2026 17:18:17 +0100 Subject: [PATCH] Include AWS account ID in drift plan files The apply and detect-drift workflows wrote a drift.plan.json containing only the deployed SHA and a drift flag. Because we deploy the same SHA to every environment via a matrix, the resulting files were byte-for-byte identical across environments and therefore shared a fingerprint. Kosli treats same-fingerprint artifacts as the same artifact, so Environment snapshots reported a single arbitrarily-chosen drift file as deployed everywhere, producing confusing Slack and UI messages. Add the AWS account ID (already looked up when computing the state bucket name) as an extra key so each environment's drift plan is unique and gets a distinct fingerprint. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/apply.yml | 3 ++- .github/workflows/detect-drift.yml | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml index b0e0c08..6d65479 100644 --- a/.github/workflows/apply.yml +++ b/.github/workflows/apply.yml @@ -98,10 +98,11 @@ jobs: ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) HASH=$(printf '%s-%s' "$ACCOUNT_ID" "${{ inputs.aws_region }}" | sha1sum | cut -d' ' -f1) echo "S3_BUCKET=terraform-state-${HASH}" >> "$GITHUB_ENV" + echo "AWS_ACCOUNT_ID=${ACCOUNT_ID}" >> "$GITHUB_ENV" - name: Create drift plan run: | - jq -n --arg sha "${{ github.event.pull_request.head.sha || github.sha }}" '{sha: $sha, drift: false}' > /tmp/drift.plan.json + jq -n --arg sha "${{ github.event.pull_request.head.sha || github.sha }}" --arg account "$AWS_ACCOUNT_ID" '{sha: $sha, drift: false, aws_account_id: $account}' > /tmp/drift.plan.json - name: Upload drift plan to S3 run: | diff --git a/.github/workflows/detect-drift.yml b/.github/workflows/detect-drift.yml index c40e34f..98d4f4e 100644 
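Review bot: The new `aws_account_id` key on the `jq -n` line only separates environments by account, yet the state bucket computed three lines earlier is keyed on the account *and* `${{ inputs.aws_region }}`, which suggests two matrix environments can share an account and differ only by region; those two would still emit byte-identical drift plans and hit the same fingerprint collision the commit describes. Adding the region next to the account closes that gap: `jq -n --arg sha "${{ github.event.pull_request.head.sha || github.sha }}" --arg account "$AWS_ACCOUNT_ID" --arg region "${{ inputs.aws_region }}" '{sha: $sha, drift: false, aws_account_id: $account, aws_region: $region}' > /tmp/drift.plan.json`. Since this file is uploaded to S3 and, per the commit message, surfaces in Kosli snapshots and Slack, a one-line comment above the step such as `# account/region keys exist only to give each environment a distinct artifact fingerprint` would tell the next reader why non-Terraform data is in a drift plan. The step that exports AWS_ACCOUNT_ID is fully inside the hunk; the job header and credential setup start above it.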
--- a/.github/workflows/detect-drift.yml +++ b/.github/workflows/detect-drift.yml @@ -115,12 +115,13 @@ jobs: ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) HASH=$(printf '%s-%s' "$ACCOUNT_ID" "${{ inputs.aws_region }}" | sha1sum | cut -d' ' -f1) echo "S3_BUCKET=terraform-state-${HASH}" >> "$GITHUB_ENV" + echo "AWS_ACCOUNT_ID=${ACCOUNT_ID}" >> "$GITHUB_ENV" - name: Build drift plan run: | TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ) - jq -n --arg sha "${{ needs.fetch-baseline.outputs.sha }}" --arg drift "$TIMESTAMP" \ - '{sha: $sha, drift: $drift}' > /tmp/drift.plan.json + jq -n --arg sha "${{ needs.fetch-baseline.outputs.sha }}" --arg drift "$TIMESTAMP" --arg account "$AWS_ACCOUNT_ID" \ + '{sha: $sha, drift: $drift, aws_account_id: $account}' > /tmp/drift.plan.json echo "DRIFT_TIMESTAMP=${TIMESTAMP}" >> "$GITHUB_ENV" - name: Upload drift plan to S3
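Review bot: Writing the raw account ID into drift.plan.json widens where that identifier appears — the file is uploaded to S3 and, per the commit message, is what Kosli fingerprints and echoes into Slack and its UI — when all the change needs is a value that differs per environment. The step already computes `HASH` from account and region; exporting that instead gives the same uniqueness (and also distinguishes same-account, different-region environments, which the account ID alone does not) without copying the identifier into another artifact: `echo "ENV_KEY=${HASH}" >> "$GITHUB_ENV"`, then `--arg env "$ENV_KEY"` on the jq line and `'{sha: $sha, drift: $drift, env_key: $env}'` as the filter. AWS account IDs are not secrets, but AWS advises against disclosing them more widely than necessary, so this is a hygiene point rather than a vulnerability. Whether downstream Kosli consumers already depend on the `aws_account_id` key name is not visible here; if they do, keep the key and add `aws_region` alongside it instead.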